Index: S


S

S4U2Proxy Extension, 167–68

defined, 167

illustrated, 168

S4U2Self combined operation, 172

security hole, 168

See also Kerberos

S4U2Self Extension, 170–72

defined, 170–71

operation, 171

S4U2Proxy combined operation, 172

SAFER policies, 395, 400

Samba, 272–74, 278–86

architecture, 279

defined, 272

features/functionality, 273

functions, 272–73

future, 274

Kerberos and, 278

NTLM authentication support, 278

Winbind, 295–96

Scalability

KDC provision, 141–42

PKI, 443

Scripting enrollment interface, 559

Secondary Logon Service (SLS), 120–22

Secure Attention Sequence (SAS), 106

Secure channels

defined, 93

in key hierarchy, 144

management tools, 95–98

security registry hacks, 96

services, fine-tuning, 95

setup control, 94

setup service, 94

setup time, 93

troubleshooting tools, 96–97

trusts and, 93–98

validating, 94–95

in Windows environment, 93

Secure MIME (S/MIME), 568, 569, 667–79

basics, 667–69

clear signing, 674–75

configuration in Exchange 2003, 671

content types/services, 669

defined, 667

dual-key-pair system, 670

Enhanced Security Services (ESS), 675–78

Exchange Server support, 669–70

functionality, 671

mail clients, 675

Microsoft mail client support, 670–74

opaque signing, 674–75

operation, 668

Outlook 2003 registry settings, 673

Outlook client features, 672

OWA, 672

OWA support setup, 673

security extensions, 668–69

signatures, 670

signed receipt tracking information, 677

Secure Sockets Layer (SSL), 209, 223

browser-side revocation check error, 233

cache, clearing, 229

certificate validation, 231

configuration from Directory Security tab, 228

configuring, 229

crypto accelerator devices, 234

downloading, 223

in firewall environment, 235–39

lock symbol, 224

Passport use, 242

in proxy environment, 235–39

security services, 223–24

setup, 225–29

tunneling, 235–36

in Web load balancing environment, 235

Web server certificate wizard, 225, 226

See also SSL bridging

SecurID plug-in, 210, 211

Security Accounts Manager (SAM), 30

Security administration infrastructures, 5, 13–17

directories, 13–14

integration, 13

provisioning systems, 14–17

See also Trusted security infrastructures (TSIs)

Security architecture, 3

Security Assertion Markup Language (SAML), 259, 317

Security authorities, 29–37

domain, 32–37

illustrated, 30

local (LSA), 29–32

security principals and, 39

trust relationships and, 70

Security Configuration Editor and Analysis tool (SCE/SCA), 695

switches, 700

uses, 700

Security Configuration Wizard (SCW), 701–2

availability, 702

defined, 701

illustrated, 701

Security Descriptor Definition Language (SDDL), 363

Security identifiers (SIDs), 38, 43–46

defined, 43

generation, 44

GUIDs vs., 44

history, 358–59

predefined layouts, 45

structure, 45

top-level authorities, 46

uniqueness, 43

well-known, 46, 47–48

See also SID filtering

Security management, 687–720

auditing, 712–20

infrastructures, 4–5

patch, 704–12

policy, 687–704

Security Patch Bulletin Catalog, 704

Security patch management, 704–12

MBSA, 705–6

Qchain, 711

Software Update Services (SUS), 708–11

third-party tools, 712

Windows Update service, 706–8

Security policies, 402–3

CAS types, 403

default evaluation process, 411

distributing, 408

enforcement, 412–15

evaluation, 402, 409–12

evaluation order, 409

life cycle, 687, 688–89

management, 406–8

See also Code Access Security (CAS)

Security policy management, 687–704

GPOs, 689–700

Group Policy, 689–90

Microsoft Baseline Security Analyzer (MBSA), 702–3

overview, 703–4

policy life cycle, 687, 688–89

Security Configuration Editor, 700–701

Security Configuration Wizard (SCW), 701–2

third-party tools, 703

Security principals, 37–68

account lockouts, 60–67

AD replication mechanisms, 67–68

defined, 37

identifiers, 40–46

iNetOrgPerson, 39

password credentials, 46–60

security authority and, 39

SIDs, 38, 43–46

uses, 37

verifying, 38–39

See also Security identifiers (SIDs)

Security reference monitors (SRMs), 10, 329

in ACL evaluation process, 354–55

checking access tokens, 330

decisions, 330, 331

Security-related auditing, 712–20

Security Support Provider Interface (SSPI), 108, 266

as API, 109

negotiate, role, 110

PAM vs., 266

workbench, using, 111

Security Support Providers (SSPs), 108

defined, 109

multiple, 110

Security Templates MMC snap-in, 698

Selective authentication, 88–90

defined, 88

enabling, 89

See also Forest trusts

SelfRA, 553–54

SelfSSL, 227

Server for NIS, 276–78

architecture, 277

defined, 276

one-directional password synchronization, 277

Windows DC, 276

Server Message Block (SMB), 113

Server-side credential caching, 312–13

authentication, 312

products, 313

security, 313

SSO architecture, 312

Service principal names (SPNs), 42–43

defined, 42

parts, 42–43

role, in single domain environment logon, 155

Services for UNIX (SFU), 275

Password Synchronization, 282–85

server for NIS, 276–78

User Name Mapping Service, 279–81

Session keys

defined, 144

distribution, 145–46

for sealing messages, 151

for signing messages, 151

See also Kerberos; master keys

Setprfdc.exe, 97, 98

Setspn, 200

Shortcut trusts, 159–60

SID filtering, 90–91

defined, 90

enabling, 91

illustrated, 91

protection, 90

See also Forest trusts

Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), 293

Simple Authentication and Security Layer (SASL), 293

Simple Network Time Protocol (SNTP), 114

Single domain logon, 152–55

disabling Kerberos and, 154–55

illustrated, 153

local process, 152–53

network process, 153–54

SPNs role, 155

See also Kerberos

Single sign-on (SSO), 2, 299–327

authentication-related, 299

credentials, 300

extending, 314–18

extranet, 8

IAS, 325

with multiple authentication authorities, 304

with multiple authentication servers, 303

Passport, 255

pros/cons, 299–300

scope, 302

with single authentication authority, 301, 303

with single authentication server, 301

with single set of credentials, 304–8

user requirement, 275

Windows Server 2003/XP technologies, 319–26

See also SSO architectures

Smartcard Enrollment Control (SEC), 563

Smart card logon process, 186–90

illustrated, 190

steps, 189–90

trust model, 189

Smart cards

certificate enrollment station interface, 682

credentials, enrolling, 681–83

identification advantages, 683–84

leveraging, 679–85

logon, 683–85

logon interface, 684

management software, 685

management systems, 685

PIN codes and, 680

support, 680–81

vendors, 680

SMS SUS Feature Pack, 710–11

SMTP security, 678–79

Software-based storage, 481

Software restriction policies (SRPs), 393, 394–400

CAS comparison, 415–16

defined, 394

designated file-type properties, setting, 398

distributing, 395–96

enforcing, 395–96

event logging, 400

fine-tuning, 396–98

“lower-quality,” 398

managing, 395–96

rules, 398–400

sample rule scenario, 400

sol.exe-related, 399

See also Malicious mobile code (MMC) protection

Software Update Services (SUS), 704

administration interface, 710

client registry keys, 710

defined, 708

MBSA integration with, 705

server, 709

SMS Feature Pack, 710–11

software download, 709

SSL bridging, 236–39

defined, 236

illustrated, 237, 238

setup, 237–38

setup in MS ISA server environment, 238

setup with OWA Publishing Wizard, 239

See also Secure Sockets Layer (SSL)

SSO architectures, 301–14

complex, 303–14

credential synchronization, 309–10

different, advantages/disadvantages, 315

with multiple credentials, 308–14

PKI-based, 307–8

secure client-side credential caching, 310–11

secure server-side credential caching, 312–14

simple, 301–3

summary, 314

token-based, 305–6

Strong private key protection, 490–91

Symmetric cryptography, 140

System ACLs (SACLs), 333


Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
Year: 2003
Authors: Jan De Clercq